[LARTC] failover strategies - failing open vs. failing closed.
Jose Luis Araujo
jlaraujo@mercs.homeip.net
Thu, 06 Jan 2005 22:16:42 +0000
Hi.
Sorry for the delay. Hope you are still interested in the idea.
Kelly Jeglum wrote:
>I'd like to set up a box with 2 NICs as a firewall which will also rate
>limit outbound traffic. What happens when/if that box hangs or is
>rebooted?
>
If you are doing NAT or routing, then you need to use VRRPD with two
machines.
>I'd like a solution that when there is a failure, traffic can still go
>through the box even though the firewall and rate limiting functions will no
>longer be in effect.
>
If on the other hand you want just the rate limiting, then you can try
something. It only has a drawback: the switch that you will use must
have VLAN and STP.
The trick is this: you choose three ports, and assign those to, say, VLAN
2, then choose another 3 ports and assign those to VLAN 3.
Enable STP on both VLANs, increase the port cost on one port on each
VLAN, and use a crossed cable to link them.
Connect a port from each VLAN to the bridge/rate limiter.
Connect the remaining port to your inner router, and to your outer router.
Now, the idea is, the VLAN will divide the switch virtually; traffic
from VLAN 2 won't go to VLAN 3 unless they are physically connected;
they behave like two switches (which will also work, provided that the
switches permit VTP). When everything is working properly, the switch
will see two links from VLAN 2 to VLAN 3 and will disable the one with
the higher cost (the cross cable), then all your traffic will flow
through the bridge.
If the bridge stops, hangs or is disconnected, the switch will only see one
link (the cross cable) and will enable it, bypassing the bridge.
I have this setup in operation now, and it works great.
For those wondering, it is using a Cisco 2900XL and the fallback time is
from 30 to 50 seconds.
Hope it helps
José Araújo
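As an added illustration, not part of the original post and not the poster's own configuration, here is a sketch of the switch side of the VLAN/STP bypass described above in IOS-style configuration. The port numbers, VLAN names and the cost value 100 are assumptions; the exact spanning-tree command syntax differs between IOS versions (the 2900XL family takes `spanning-tree cost` under the interface, newer Catalysts also accept a per-VLAN form), so check it against the reference for your switch before use.

```text
! Constructed example; port numbers, VLAN names and cost are assumptions.
! VLAN 2 = outer side (towards the outer router), VLAN 3 = inner side.
vlan database
 vlan 2 name outer
 vlan 3 name inner
 exit
!
! One port per VLAN towards the router on that side.
interface FastEthernet0/1
 switchport access vlan 2
interface FastEthernet0/4
 switchport access vlan 3
!
! One port per VLAN towards the bridge/rate limiter (default port cost,
! so this is the path STP prefers while the bridge is up).
interface FastEthernet0/2
 switchport access vlan 2
interface FastEthernet0/5
 switchport access vlan 3
!
! The ports joined by the crossover cable. The raised cost on the VLAN 2
! side makes STP block this path while the bridge path is alive; when the
! bridge goes away it is the only remaining link and STP brings it up.
interface FastEthernet0/3
 switchport access vlan 2
 spanning-tree cost 100
interface FastEthernet0/6
 switchport access vlan 3
!
! STP has to be running on both VLANs for the failover to happen at all.
spanning-tree vlan 2
spanning-tree vlan 3
```

One thing worth watching in this design: while the crossover port is forwarding, nothing is rate limiting or filtering, and the switch gives no alarm of its own. `show spanning-tree` lists the crossover port (FastEthernet0/3 in this sketch) as blocking in normal operation and as forwarding during bypass, so polling that state, or the bridge's own link status, is the simplest way to notice that the box has failed open rather than discovering it much later.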